What is Azure VPN Gateway?

Azure VPN Gateway is azure network resource, which provides an endpoint for incoming connections
from on-premises environments.

What do Azure VPN Gateway?

1. It provides the encryption endpoint between azure virtual network and on-premises network
over the internet.
2. It sends encrypted traffic between Azure virtual networks and connected computes.
3. Each virtual network can have only one VPN gateway. All connections to that VPN gateway
share the available network bandwidth.
4. When you create a virtual network gateway, the provisioning process generates the gateway
VMs and deploys them to the gateway subnet and each virtual network gateway has two or
more virtual machines (VMs).
5. These VMs and the gateway subnet are similar to a hardened network device. You don't need to
configure these VMs directly and should not deploy any additional resources into the gateway
subnet.
6. VPN gateway contains routing tables for connections to other networks.

How many types of VPN gateway?

The gateway type determines the way the gateway functions. Options for VPN gateways include:

1. Network-to-network connections over IPsec/IKE VPN tunneling: - these types of VPN gateway
is used to link VPN gateways to other VPN gateways.
2. Cross-premises IPsec/IKE VPN tunneling: - these types of VPN gateway are used to create site-
to-site connections.
3. Point-to-site connections over IKEv2 or SSTP: - these types of VPN gateway are used to link
client computers to resources in Azure.

How to Plan a VPN gateway?

When you're planning a VPN gateway, there are three architectures to consider:

1. Point to site over the Internet

2. Site to site over the Internet
 3. Site to site over a dedicated network, such as Azure ExpressRoute

What are planning factors of VPN gateway?

Factors that you need to cover during your planning process include:

1. Throughput - Mbps or Gbps

2. Backbone - Internet or private?
3. Availability of a public (static) IP address
4. VPN device compatibility
5. Multiple client connections or a site-to-site link?
6. VPN gateway type
7. Azure VPN Gateway SKU

What are Gateway SKUs?

It's important that you choose the right SKU. If you have set up your VPN gateway with the wrong one,
you'll have to take it down and rebuild the gateway, which can be time consuming.

What is Workflow of VPN gateway?

When designing a cloud connectivity strategy using virtual private networking on Azure, you should
apply the following workflow:

1. Design your connectivity topology, listing the address spaces for all connecting networks.
2. Create an Azure virtual network.
3. Create a VPN gateway for the virtual network.
4. Create and configure connections to on-premises networks or other virtual networks, as
required.
5. If required, create and configure a point-to-site connection for your Azure VPN gateway.

What are Design considerations of VPN gateway?

When you design your VPN gateways to connect virtual networks, you must consider the following
factors:

1. Subnets cannot overlap.

2. It is vital that a subnet in one location does not contain the same address space as in another
location.
3. IP addresses must be unique.
4. You cannot have two hosts with the same IP address in different locations, as it will be
impossible to route traffic between those two hosts and the network-to-network connection will
fail.
5. VPN gateways need a gateway subnet called Gateway Subnet.
6. It must have this name for the gateway to work, and it should not contain any other resources.

How many types of the VPN gateway?

The type of VPN gateway you create will depend on your architecture. Options are:
 1. Route Based: - Allows for multiple VPNs via a single vNet Gateway. This is critical if you want to
set up a VPN-based mesh topology in Azure or to/from multiple on-premise sites.

Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding
tables direct traffic to different IPsec tunnels. Route-based connections are typically built on
router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual
tunnel interface).
2. Policy Based: - Only allows a single S2S VPN connection, either with an on-premise firewall or
with another vNet in Azure. No S2S mesh-type topologies possible. (Although vNet peering is an
option, but only within Azure. Your vNet Gateway can still only connect to a single on-premise
endpoint.
Policy-based VPN devices use the combinations of prefixes from both networks to define how
traffic is encrypted/decrypted through IPsec tunnels. A policy-based connection is typically built
on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are
added to the packet filtering and processing engine.

What are steps to set up a VPN gateway?

The steps you need to take will depend on the type of VPN gateway that you are installing. For example,
to create a point-to-site VPN gateway by using the Azure portal, you would carry out the following steps:

1. Create a virtual network

2. Add a gateway subnet
3. Specify a DNS server (optional)
4. Create a virtual network gateway
5. Generate certificates
6. Add the client address pool
7. Configure the tunnel type
8. Configure the authentication type
9. Upload the root certificate public certificate data
10. Install an exported client certificate
11. Generate and install the VPN client configuration package
12. Connect to Azure

What is Azure ExpressRoute?

ExpressRoute is a service that creates private connections between Azure datacenters and on-premises
datacenter without internet.

Microsoft Azure ExpressRoute enables organizations to extend their on-premises networks into the
Microsoft Cloud over a private connection implemented by a connectivity provider.

This arrangement means that the connectivity to the Azure datacenters doesn't go over the Internet but
across a dedicated link.

ExpressRoute also facilitates efficient connections with other Microsoft cloud-based services, such as
Microsoft 365 and Dynamics 365.
ExpressRoute Gateway: ExpressRoute Gateways are deployed in Azure region.

What are Advantages of ExpressRoute?

1. Faster speeds, from 50 Mbps to 10 Gbps, with dynamic bandwidth scaling

2. Lower latency
3. Greater reliability through built-in peering
4. Highly secure
5. Connectivity to all supported Azure services
6. Global connectivity to all regions (requires premium add-on)
7. Dynamic routing over Border Gateway Protocol
8. Service-level agreements (SLAs) for connection uptime
9. Quality of Service (QoS) for Skype for Business

What is ExpressRoute premium add-on?

The ExpressRoute premium add-on, which offers benefits such as

 Increased route limits

 Global service connectivity
 Increased virtual network links per circuit

What are connectivity models of ExpressRoute?

Connections into ExpressRoute can be through the following mechanisms:

1. IP VPN network (any-to-any)

2. Virtual cross-connection through an Ethernet exchange
3. Point-to-point Ethernet connection
4. Direct from ExpressRoute sites

What is Virtual cross-connection through an Ethernet Exchange?

This connectivity connects your offices to Microsoft cloud through your provider's Ethernet exchange.

These cross-connections to the Microsoft Cloud can operate at either layer 2 or layer 3 managed
connections, as in the networking OSI model.

What is Point-to-point Ethernet connection

A Point to Point Ethernet service is a private dedicated secure data connection that directly connects
your data center to Microsoft cloud.

It also provide layer 2 and layer 3 connections. We don’t need to encrypt data as it is very secure by
nature.

What is Any-to-any (IPVPN) networks?

This connectivity directly connects your office WAN (MPLS) to microsoft cloud. This connection is based
on IPVPN ( Internet Protocol Virtual Private Network ). This connection is based on IPVPN ( Internet
Protocol Virtual Private Network ). It is separated from the public internet, travelling packets via a
private connection to each remote site or branch office to make it look just like any other branch office.

It uses layer 3 connections.

What is Direct from ExpressRoute sites?

You can connect directly into the Microsoft's global network at a peering location strategically
distributed across the world. ExpressRoute Direct provides dual 100 Gbps or 10-Gbps connectivity,
which supports Active/Active connectivity at scale.

What are ExpressRoute circuits?

An ExpressRoute circuit is the logical connection between your on-premises infrastructure and the
Microsoft Cloud. A connectivity provider implements that connection.

What is bandwidth of ExpressRoute circuits?

Each circuit has a fixed bandwidth of either 50, 100, 200 Mbps or 500 Mbps, or 1 Gbps or 10 Gbps.

How to connectivity is setup by ExpressRoute circuits?

Each of those circuits map to a connectivity provider and a peering location. In addition, each
ExpressRoute circuit has default quotas and limits. Each circuit is defined by a GUID, called
a service or s-key.

What is S-Key?

It is GUID of ExpressRoute circuits that provides the connectivity link between Microsoft, your
connectivity provider, and your organization - it isn't a cryptographic secret. Each s-key has a one-to-one
mapping to an Azure ExpressRoute circuit.
How many peering has a ExpressRoute circuits?

Each circuit can have up to two peerings, which are a pair of BGP sessions that are configured for
redundancy. They are:

 Azure private
 Microsoft

What is Azure private peering?

This is a bi-directional connection between your core on-premises network and one or more Azure
virtual networks. It uses a private peering domain to essentially extend your network directly into Azure,
creating secure, high-speed access to Azure cloud services and VMs.

Within each virtual network, you can have multiple subnets. You can also use peering to link multiple
virtual networks to each other. Furthermore, you can connect to an entire VNet fabric via one
ExpressRoute circuit (limits apply).

 You must configure the connection through a virtual network gateway.

 Each VNet can only have one gateway. A single VNet can connect to up to four ExpressRoute
circuits.
 The number of VNets you can connect to an ExpressRoute circuit depends on bandwidth and
whether you are using ExpressRoute Premium.

What is Microsoft peering?

Microsoft peering is a bi-directional connection between your on-premises network and select Microsoft
365 services.

The Microsoft peering option is quite a bit more complicated than Azure private peering. Before you can
initiate Microsoft 365/Office 365 traffic through an ExpressRoute circuit, you must first request
authorization from Microsoft

All traffic to Microsoft 365 must originate from a valid public IPv4 address. Do not advertise the same
public IP route to the public internet.
Routing domains

ExpressRoute circuits then map to routing domains, with each ExpressRoute circuit having multiple
routing domains.

These domains are the same as the two peerings listed above. In an active-active configuration, each
pair of routers would have each routing domain configured identically, thus providing high availability.
The Azure private peering names represent the IP addressing schemes.

How to monitor ExpressRoute health?

As with most features in Microsoft Azure, you can monitor ExpressRoute connections to ensure that
they are performing satisfactorily. Monitoring includes coverage of the following areas:

1. Availability
2. Connectivity to virtual networks
3. Bandwidth utilization

The key tool for this monitoring activity is Network Performance Monitor, particularly NPM for
ExpressRoute.

You need to connect Azure resources like Azure virtual machines across geographical regions. Which
Azure networking option should you use?

Use virtual network peering to connect virtual networks to each other so resources in either virtual
network can communicate with each other. The virtual networks you connect can be in different Azure
regions

For a point-to-site Azure VPN gateway, what are the key parameters that you must specify when you
create it?

Use the PowerShell cmdlet 'New-AzVirtualNetworkGateway' where you use parameters '-GatewayType
Vpn' and '-VpnType RouteBased'. Also set the '-GatewaySku' to the SKU that meets your organization's
network requirements.
Which peering configuration would you use for your Express route circuit where you need to allow
direct connections to Azure compute resources?

Azure private peering lets you directly connect to virtual machines and cloud services on their private IP
addresses.

Which protocol provides dynamic routing for Azure ExpressRoute?

Border Gateway Protocol is an industry-standard dynamic routing protocol that can exchange routes
between your on-premises network, your instances in Azure, and Microsoft public addresses.